[2023年05月最新リリース]PCNSE試験問題はあなたをパスさせる [Q118-Q139]

Share

[2023年05月最新リリース]PCNSE試験問題はあなたをパスさせる

Palo Alto Networks PCNSE試験基本問題とアンサー

質問 118
Only two Trust to Untrust allow rules have been created in the Security policy
- Rule1 allows google-base
- Rule2 allows youtube-base
The youtube-base App-ID depends on google-base to function. The google-base App-ID implicitly uses SSL and web-browsing. When user try to accesss https://www.youtube.com in a web browser, they get an error indecating that the server cannot be found.
Which action will allow youtube.com display in the browser correctly?

  • A. Add SSL App-ID to Rule1
  • B. Create an additional Trust to Untrust Rule, add the web-browsing, and SSL App-ID's to it
  • C. Add the Web-browsing App-ID to Rule2
  • D. Add the DNS App-ID to Rule2

正解: D

 

質問 119
If an administrator does not possess a website's certificate, which SSL decryption mode will allow the Palo Alto networks NGFW to inspect when users browse to HTTP(S) websites?

  • A. SSL Inbound Inspection
  • B. TLS Bidirectional proxy
  • C. SSL Outbound Inspection
  • D. SSL Forward Proxy

正解: D

解説:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClV8CAK
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/decryption/configure-ssl-inbound-inspection.html

 

質問 120
What are three valid actions in a File Blocking Profile? (Choose three)

  • A. Upload
  • B. Alret
  • C. Reset-both
  • D. Forward
  • E. Block
  • F. Continue

正解: B,D,E

解説:
https://live.paloaltonetworks.com/t5/Configuration-Articles/File-Blocking-Rulebase-and-Action-Precedence/ta-p/53623

 

質問 121
An administrator needs to determine why users on the trust zone cannot reach certain websites. The only information available is shown on the following image. Which configuration change should the administrator make?
A)

B)

C)

D)

E)

  • A. Option C
  • B. Option D
  • C. Option B
  • D. Option A
  • E. Option E

正解: B

 

質問 122
Which three firewall states are valid? (Choose three.)

  • A. Functional
  • B. Pending
  • C. Active
  • D. Suspended
  • E. Passive

正解: C,D,E

解説:
Reference:
https://docs.paloaltonetworks.com/pan-os/9-0/pan-os-admin/high-availability/ha-firewall-states.html

 

質問 123
Based on the following image, what is the correct path of root, intermediate, and end-user certificate?

  • A. VeriSign > Symantec > Palo Alto Networks
  • B. VeriSign > Palo Alto Networks > Symantec
  • C. Symantec > VeriSign > Palo Alto Networks
  • D. Palo Alto Networks > Symantec > VeriSign

正解: A

 

質問 124
A web server is hosted in the DMZ and the server is configured to listen for incoming connections on TCP
port 443. A Security policies rules allowing access from the Trust zone to the DMZ zone needs to be
configured to allow web-browsing access. The web server hosts its contents over HTTP(S). Traffic from
Trust to DMZ is being decrypted with a Forward Proxy rule.
Which combination of service and application, and order of Security policy rules, needs to be configured to
allow cleartext web-browsing traffic to this server on tcp/443?

  • A. Rule #1: application: web-browsing; service: service-https; action: allow
    Rule #2: application: ssl; service: application-default; action: allow
  • B. Rule # 1: application: ssl; service: application-default; action: allow
    Rule #2: application: web-browsing; service: application-default; action: allow
  • C. Rule #1: application: web-browsing; service: service-http; action: allow
    Rule #2: application: ssl; service: application-default; action: allow
  • D. Rule #1: application: web-browsing; service: application-default; action: allow
    Rule #2: application: ssl; service: application-default; action: allow

正解: D

 

質問 125
Which two events trigger the operation of automatic commit recovery? (Choose two.)

  • A. when a firewall performs a local commit
  • B. when a firewall HA pair fails over
  • C. when an aggregate Ethernet interface component fails
  • D. when Panorama pushes a configuration

正解: A,D

解説:
Explanation
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-new-features/panorama-features/automatic-panorama-conn Automatic commit recovery allows you to configure the firewall to attempt a specified number of connectivity tests after:
1- you push a configuration from Panorama or
2- commit a configuration change locally on the firewall.
Additionally, the firewall checks connectivity to Panorama every hour to ensure consistent communication in the event unrelated network configuration changes have disrupted connectivity between the firewall and Panorama or if implications to a pushed committed configuration may have affected connectivity.

 

質問 126
An engineer wants to implement the Palo Alto Networks firewall in VWire mode on the internet gateway and wants to be sure of the functions that are supported on the vwire interface What are three supported functions on the VWire interface? (Choose three )

  • A. NAT
  • B. SSL Decryption
  • C. OSPF
  • D. QoS
  • E. IPSec

正解: A,B,D

解説:
Explanation
https://docs.paloaltonetworks.com/pan-os/9-1/pan-os-admin/networking/configure-interfaces/virtual-wire-interfa
"The virtual wire supports blocking or allowing traffic based on virtual LAN (VLAN) tags, in addition to supporting security policy rules, App-ID, Content-ID, User-ID, decryption, LLDP, active/passive and active/active HA, QoS, zone protection (with some exceptions), non-IP protocol protection, DoS protection, packet buffer protection, tunnel content inspection, and NAT."

 

質問 127
A bootstrap USB flash drive has been prepared using a Windows workstation to load the initial configuration of a Palo Alto Networks firewall that was previously being used in a lab. The USB flash drive was formatted using file system FAT32 and the initial configuration is stored in a file named init-cfg.txt. The firewall is currently running PAN-OS 10.0 and using a lab config. The contents of init-cfg.txt in the USB flash drive are as follows:

The USB flash drive has been inserted in the firewalls USB port, and the firewall has been restarted using command: > request restart system Upon restart, the firewall fails to begin the bootstrapping process. The failure is caused because:

  • A. PAN-CS version must be 9.1.x at a minimum, but the firewall is running 10.0.x
  • B. The bootstrap.xml file is a required file, but it is missing
  • C. The USB must be formatted using the ext3 file system. FAT32 is not supported
  • D. The hostname is a required parameter, but it is missing in init-cfg.txt
  • E. Firewall must be in factory default state or have all private data deleted for bootstrapping

正解: E

解説:
The firewall must be in a factory default state or must have all private data deleted.
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/firewall-administration/bootstrap- the-firewall/ bootstrap-a-firewall-using-a-usb-flash-drive

 

質問 128
Refer to the exhibit.

Which will be the egress interface if the traffic's ingress interface is ethernet1/7 sourcing from
192.168.111.3 and to the destination 10.46.41.113?

  • A. ethernet1/6
  • B. ethernet1/5
  • C. ethernet1/3
  • D. ethernet1/7

正解: B

 

質問 129
Which method will dynamically register tags on the Palo Alto Networks NGFW?

  • A. XML-API or the VMware API on the firewall or on the User-ID agent or the CLI
  • B. Restful API or the VMWare API on the firewall or on the User-ID agent or the read-only domain controller (RODC)
  • C. Restful API or the VMware API on the firewall or on the User-ID agent
  • D. XML API or the VM Monitoring agent on the NGFW or on the User-ID agent

正解: D

解説:
Reference:
https://docs.paloaltonetworks.com/pan-os/10-0/pan-os-admin/policy/monitor-changes-in-the-virtual-environmen

 

質問 130
Which CLI command is used to simulate traffic going through the firewall and determine which Security policy rule, NAT translation, static route, or PBF rule will be triggered by the traffic?

  • A. find
  • B. sim
  • C. test
  • D. check

正解: C

 

質問 131
Refer to the exhibit.

Which certificates can be used as a Forwarded Trust certificate?

  • A. Forward_Trust
  • B. Domain Sub-CA
  • C. Domain-Root-Cert
  • D. Certificate from Default Trust Certificate Authorities

正解: B

 

質問 132
View the GlobalProtect configuration screen capture.

What is the purpose of this configuration?

  • A. It forces an internal client to connect to an internal gateway at IP address 192.168.10.1.
  • B. It forces the firewall to perform a dynamic DNS update, which adds the internal gateway's hostname and IP address to the DNS server.
  • C. It enables a client to perform a reverse DNS lookup on 192.168.10.1 to detect that it is an internal client.
  • D. It configures the tunnel address of all internal clients to an IP address range starting at 192.168.10.1.

正解: C

解説:
Reference:
https://www.paloaltonetworks.com/documentation/80/globalprotect/globalprotect-admin-guide/globalprotect-por the-globalprotect-client-authentication-configurations/define-the-globalprotect-agent-configurations
"Select this option to allow the GlobalProtect agent to determine if it is inside the enterprise network.
This option applies only to endpoints that are configured to communicate with internal gateways.When the user attempts to log in, the agent does a reverse DNS lookup of an internal host using the specified Hostname to the specified IP Address. The host serves as a reference point that is reachable if the endpoint is inside the enterprise network. If the agent finds the host, the endpoint is inside the network and the agent connects to an internal gateway; if the agent fails to find the internal host, the endpoint is outside the network and the agent establishes a tunnel to one of the external gateways"

 

質問 133
The firewall determines if a packet is the first packet of a new session or if a packet is part of an existing session using which kind of match?

  • A. 9-tuple match:
    Source IP Address, Destination IP Address, Source port, Destination Port, Source User, Source Security Zone, Destination Security Zone, Application, and URL Category
  • B. 7-tuple match:
    Source IP Address, Destination IP Address, Source port, Destination Port, Source User, URL Category, and Source Security Zone
  • C. 6-tuple match:
    Source IP Address, Destination IP Address, Source port, Destination Port, Protocol, and Source Security Zone
  • D. 5-tuple match:
    Source IP Address, Destination IP Address, Source port, Destination Port, Protocol

正解: C

 

質問 134
Based on PANW Best Practices for Planning DoS and Zone Protection, match each type of DoS attack to an example of that type of attack.

正解:

解説:

Explanation
* Application-Based Attacks
-Target weaknesses in a particular application and try to exhaust its resources so legitimate users can't use it.
An example is the Slowloris attack.
* Protocol-Based Attacks
-Also known as state-exhaustion attacks, they target protocol weaknesses. A common example is a SYN flood attack.
* Volumetric Attacks
-High-volume attacks that attempt to overwhelm the available network resources, especially bandwidth, and bring down the target to prevent legitimate users from accessing its resources. An example is a UDP flood attack.

 

質問 135
Given the following configuration, which route is used for destination 10.10.0.4?

  • A. Route 1
  • B. Route 4
  • C. Route 3
  • D. Route 3

正解: B

 

質問 136
Which three log-forwarding destinations require a server profile to be configured? (Choose three)

  • A. Panorama
  • B. Kerberos
  • C. RADIUS
  • D. Syslog
  • E. SNMP Trap
  • F. Email

正解: D,E,F

 

質問 137
Which is not a valid reason for receiving a decrypt-cert-validation error?

  • A. Unsupported HSM
  • B. Untrusted issuer
  • C. Unknown certificate status
  • D. Client authentication

正解: A

解説:
Per the link https://docs.paloaltonetworks.com/pan-os/7-1/pan-os-new-features/networking-features/ssl-ssh-session-end-reasons
, receiving the decrypt-cert-validation error is valid for the following conditions: expired, untrusted issuer, unknown status, or status verification time-out. "Unsupported HSM" is not a valid reason for receiving a decrypt-cert-validation error.

 

質問 138
Which three firewall states are valid? (Choose three.)

  • A. Functional
  • B. Pending
  • C. Active
  • D. Suspended
  • E. Passive

正解: C,D,E

解説:
Reference:
https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/high-availability/ha-firewall-states

 

質問 139
......

2023年最新のリアルな無料Palo Alto Networks PCNSE試験問題集問題と解答:https://jp.fast2test.com/PCNSE-premium-file.html

PCNSE練習テストエンジン購入前に試そう211試験問題:https://drive.google.com/open?id=1fW9qOXTOiwSxW0O1qCnIC3ZnFFaeFYng


弊社を連絡する

我々は12時間以内ですべてのお問い合わせを答えます。

我々の働いている時間: ( GMT 0:00-15:00 )
月曜日から土曜日まで

サポート: 現在連絡 

English Deutsch 繁体中文 한국어